[Samba] Kerberized-nfs4 home-dir stopped working

Philippe Clérié pclerie at gmail.com
Wed Jun 15 15:55:36 UTC 2022

Increasing Verbosity in /etc/idmapd.conf on both sides should give you some
logging for id mapping. I would start with 5.

I think that Debian 11 has moved to using an nfs-utils helper script, which
changes some of the variables used in the systemd scripts. (I am still on
Ubuntu 20.04 so I haven't played with those yet.) There ought to be
variables for the options to rpc.gssd on the client side, and rpc.svcgssd
on the server. If you set those options to -vvv you should get a lot of

Hope that helps


The trouble with common sense is that it is so uncommon.

On Tue, Jun 14, 2022 at 5:27 PM Kees van Vloten via samba <
samba at lists.samba.org> wrote:

> Hi Team,
> I have been using Kerberized nfs4 between 2 domain-members successfully
> since August last year.
> All machines are Debian 11. The NFS-server and the desktop run with
> stock Samba 4.13.
> Two days ago while I was working on the desktop-machine nfs stopped
> communicating. After rebooting the desktop I can login with my domain
> credentials on the console (not graphical as it requires home-dir
> access) but the home-dir is not there.
> - wbinfo reports active connection (on all 3 items).
> - klist in my user on the desktop shows a valid ticket and if I login on
> the nfsserver I get a valid ticket there as well
> - system time is in sync on both machines
> - resolving of domain users,groups,hosts through getent works fine, i.e.
> winbind is working on both sides
> - On the DCs (I run Louis' 4.15.7 here) I have auditing enabled but
> audit.log does not show any failures, while trying to access /home from
> the desktop
> /home on the desktop gets mounted by autofs with the equivalent of:
> mount -t nfs4 -o rw,soft,sync,nodev,exec,nosuid,noatime,fsc,sec=krb5p
> nfsserver.example.com:/home /home
> Exports on the nfsserver:
> # Root path
> /srv/nfs
> # Share paths
> /srv/nfs/home
> Where /srv/nfs/home is a bind-mount to /home
> Unfortunately I have not found a way to find some useful logging on
> either side.
> In the end I replaced sec=krb5p on both sides (exports and autofs) with
> sec=sys and then there is immediately access. That tells me the problem
> must be related to Kerberos, which was my initial suspicion due to the
> way it stopped working 2 days ago (nothing changed in the configurations
> on either side).
> What would be the next thing to investigate?
> - Kees.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list